Security update for pacemaker SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2019:1400-1 Final 1 1 2019-05-15T14:47:48Z current 2019-05-15T14:47:48Z 2019-05-15T14:47:48Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for pacemaker This update for pacemaker fixes the following issues: Security issues fixed: - CVE-2019-3885: Fixed an information disclosure in log output. (bsc#1131357) - CVE-2018-16877: Fixed a local privilege escalation through insufficient IPC client-server authentication. (bsc#1131356) - CVE-2018-16878: Fixed a denial of service through insufficient verification inflicted preference of uncontrolled processes. (bsc#1131353) Non-security issue fixed: - crmd: delete resource from lrmd when appropriate to avoid timeouts with crmsh (bsc#1117381). This update was imported from the SUSE:SLE-15:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2019-1400 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/YPE4TWWC6FW57WVVOZ7ZZGIDXYSODXAF/#YPE4TWWC6FW57WVVOZ7ZZGIDXYSODXAF E-Mail link for openSUSE-SU-2019:1400-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1117381 SUSE Bug 1117381 https://bugzilla.suse.com/1131353 SUSE Bug 1131353 https://bugzilla.suse.com/1131356 SUSE Bug 1131356 https://bugzilla.suse.com/1131357 SUSE Bug 1131357 https://www.suse.com/security/cve/CVE-2018-16877/ SUSE CVE CVE-2018-16877 page https://www.suse.com/security/cve/CVE-2018-16878/ SUSE CVE CVE-2018-16878 page https://www.suse.com/security/cve/CVE-2019-3885/ SUSE CVE CVE-2019-3885 page openSUSE Leap 15.0 libpacemaker-devel-1.1.18+20180430.b12c320f5-lp150.2.9.1 libpacemaker3-1.1.18+20180430.b12c320f5-lp150.2.9.1 pacemaker-1.1.18+20180430.b12c320f5-lp150.2.9.1 pacemaker-cli-1.1.18+20180430.b12c320f5-lp150.2.9.1 pacemaker-cts-1.1.18+20180430.b12c320f5-lp150.2.9.1 pacemaker-remote-1.1.18+20180430.b12c320f5-lp150.2.9.1 libpacemaker-devel-1.1.18+20180430.b12c320f5-lp150.2.9.1 as a component of openSUSE Leap 15.0 libpacemaker3-1.1.18+20180430.b12c320f5-lp150.2.9.1 as a component of openSUSE Leap 15.0 pacemaker-1.1.18+20180430.b12c320f5-lp150.2.9.1 as a component of openSUSE Leap 15.0 pacemaker-cli-1.1.18+20180430.b12c320f5-lp150.2.9.1 as a component of openSUSE Leap 15.0 pacemaker-cts-1.1.18+20180430.b12c320f5-lp150.2.9.1 as a component of openSUSE Leap 15.0 pacemaker-remote-1.1.18+20180430.b12c320f5-lp150.2.9.1 as a component of openSUSE Leap 15.0 A flaw was found in the way pacemaker's client-server authentication was implemented in versions up to and including 2.0.0. A local attacker could use this flaw, and combine it with other IPC weaknesses, to achieve local privilege escalation. CVE-2018-16877 openSUSE Leap 15.0:libpacemaker-devel-1.1.18+20180430.b12c320f5-lp150.2.9.1 openSUSE Leap 15.0:libpacemaker3-1.1.18+20180430.b12c320f5-lp150.2.9.1 openSUSE Leap 15.0:pacemaker-1.1.18+20180430.b12c320f5-lp150.2.9.1 openSUSE Leap 15.0:pacemaker-cli-1.1.18+20180430.b12c320f5-lp150.2.9.1 openSUSE Leap 15.0:pacemaker-cts-1.1.18+20180430.b12c320f5-lp150.2.9.1 openSUSE Leap 15.0:pacemaker-remote-1.1.18+20180430.b12c320f5-lp150.2.9.1 important 4.6 AV:L/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/YPE4TWWC6FW57WVVOZ7ZZGIDXYSODXAF/#YPE4TWWC6FW57WVVOZ7ZZGIDXYSODXAF https://www.suse.com/security/cve/CVE-2018-16877.html CVE-2018-16877 https://bugzilla.suse.com/1131353 SUSE Bug 1131353 https://bugzilla.suse.com/1131356 SUSE Bug 1131356 A flaw was found in pacemaker up to and including version 2.0.1. An insufficient verification inflicted preference of uncontrolled processes can lead to DoS CVE-2018-16878 openSUSE Leap 15.0:libpacemaker-devel-1.1.18+20180430.b12c320f5-lp150.2.9.1 openSUSE Leap 15.0:libpacemaker3-1.1.18+20180430.b12c320f5-lp150.2.9.1 openSUSE Leap 15.0:pacemaker-1.1.18+20180430.b12c320f5-lp150.2.9.1 openSUSE Leap 15.0:pacemaker-cli-1.1.18+20180430.b12c320f5-lp150.2.9.1 openSUSE Leap 15.0:pacemaker-cts-1.1.18+20180430.b12c320f5-lp150.2.9.1 openSUSE Leap 15.0:pacemaker-remote-1.1.18+20180430.b12c320f5-lp150.2.9.1 moderate 2.1 AV:L/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/YPE4TWWC6FW57WVVOZ7ZZGIDXYSODXAF/#YPE4TWWC6FW57WVVOZ7ZZGIDXYSODXAF https://www.suse.com/security/cve/CVE-2018-16878.html CVE-2018-16878 https://bugzilla.suse.com/1131353 SUSE Bug 1131353 A use-after-free flaw was found in pacemaker up to and including version 2.0.1 which could result in certain sensitive information to be leaked via the system logs. CVE-2019-3885 openSUSE Leap 15.0:libpacemaker-devel-1.1.18+20180430.b12c320f5-lp150.2.9.1 openSUSE Leap 15.0:libpacemaker3-1.1.18+20180430.b12c320f5-lp150.2.9.1 openSUSE Leap 15.0:pacemaker-1.1.18+20180430.b12c320f5-lp150.2.9.1 openSUSE Leap 15.0:pacemaker-cli-1.1.18+20180430.b12c320f5-lp150.2.9.1 openSUSE Leap 15.0:pacemaker-cts-1.1.18+20180430.b12c320f5-lp150.2.9.1 openSUSE Leap 15.0:pacemaker-remote-1.1.18+20180430.b12c320f5-lp150.2.9.1 moderate 5 AV:N/AC:L/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/YPE4TWWC6FW57WVVOZ7ZZGIDXYSODXAF/#YPE4TWWC6FW57WVVOZ7ZZGIDXYSODXAF https://www.suse.com/security/cve/CVE-2019-3885.html CVE-2019-3885 https://bugzilla.suse.com/1131357 SUSE Bug 1131357